ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.

Home Page: https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra


Custom bearer token not redacted

SkypLabs opened this issue · comments

Describe the bug

By default, Oathkeeper redacts sensitive values from the logs like the Authorization HTTP header and cookie values. However, when defining a custom bearer token in the bearer_token authenticator, the value of this token is not redacted.

I think this is a bug as I explicitly defined a specific HTTP header in the bearer_token authenticator as comprising a sensitive value, so its value should be redacted.

Reproducing the bug

  1. Start an Oathkeeper instance with a bearer_token authenticator configured to retrieve the secret from a custom HTTP header (X-Fallback-Cookies in my configuration example).
  2. Send an HTTP request comprising the custom HTTP header to the Oathkeeper instance.
  3. The value of the custom HTTP header is visible in the logs, which is not the desired behaviour.

Relevant log output

time=2023-03-21T10:00:53Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 dnt:1 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:none sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 x-appwrite-project:xxx x-fallback-cookies:{"a_session_xxx": "eyJpZCI6IjY0MTM0MjIwMmMzNDRjOTVkODkwIiwic2VjcmV0IjoiZGJlNDExMmRiZTVhYmVkMWY2ZTE2NGJkYjUzODU3ODZjZTA1MzQ2OTVlOGU2NWE3NDk2MjQ3NTVhNjQ2MTI4OTQ1NmZmMjk4YjhiM2E0YzkzNWYzNTZmYjdlMTY3NTMyNmQwZWJlZjkzY2IxMzk3MDk5YzZmOTMyYjQyNTRiNGQ2ODQyMTQxNzNiYTJkNzRkODZiOTM1ZGM2MjMyYWZkNjc2ZjkxOGIyYzY3NjcxZDhjYzgxOTNkNWFhZGNkMDE5NWE3ZjNlMzgzNjQ0Y2E3YmZiYWVhY2Q5NjBiZTc2NjJkNzM4ZTgyODE4OTgzNjQzZmVmZTYyYjliMWQzMTYzMyJ9"} x-forwarded-for:172.21.0.1 x-forwarded-host:whoami.example.com x-forwarded-method:GET x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:6af04422d9d4 x-forwarded-uri:/ x-real-ip:172.21.0.1] host:api-gateway:4456 method:GET path:/decisions query:<nil> remote:172.21.0.1:42842 scheme:http]
time=2023-03-21T10:00:54Z level=info msg=Access credentials are invalid audience=application service_name=ORY Oathkeeper service_version=v0.40.1
time=2023-03-21T10:00:54Z level=info msg=Access request denied audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] granted=false http_host=api-gateway:4456 http_method=GET http_url=https://whoami.example.com/ http_user_agent=Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 service_name=ORY Oathkeeper service_version=v0.40.1

Relevant configuration

authenticators:
  bearer_token:
    enabled: true

    config:
      check_session_url: http://appwrite/v1/account/sessions/current
      preserve_path: true
      force_method: GET
      subject_from: userId
      token_from:
        header: X-Fallback-Cookies
      forward_http_headers:
        - X-Appwrite-Project
        - X-Fallback-Cookies

log:
  level: debug
  format: text
  leak_sensitive_values: false

Version

0.40.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response

This issue makes sense to me and feels like it should be fixed. Currently, the list of redacted headers is hardcoded here.

We would need a mechanism and API in that package to conditionally redact more headers.
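An added example of the mechanism that comment asks for, written for this issue and not taken from Oathkeeper's code base: a request-log redactor that starts from a built-in list (Authorization, Cookie and Set-Cookie are an assumed stand-in for the hardcoded list) and additionally redacts any header name supplied from configuration, such as the bearer_token token_from.header value, honouring log.leak_sensitive_values and matching names case-insensitively so the lowercased keys seen in the log output still hit.

```go
package main

import (
	"net/http"
	"net/textproto"
	"strings"
)

// Assumed stand-in for the hardcoded list the maintainer refers to; the
// real list lives in Oathkeeper's logging package and may differ.
var defaultSensitive = []string{"Authorization", "Cookie", "Set-Cookie"}

// Placeholder written to the log in place of the real value.
const Redacted = "Value is sensitive and has been redacted..."

// Redactor decides which request headers may be logged verbatim.
type Redactor struct {
	leak      bool                // mirrors log.leak_sensitive_values
	sensitive map[string]struct{} // canonical header names
}

// NewRedactor merges the built-in list with extra names from configuration,
// e.g. every bearer_token token_from.header value (hypothetical wiring).
func NewRedactor(leakSensitiveValues bool, extra ...string) *Redactor {
	r := &Redactor{leak: leakSensitiveValues, sensitive: map[string]struct{}{}}
	for _, h := range append(append([]string{}, defaultSensitive...), extra...) {
		// Canonicalise so x-fallback-cookies and X-Fallback-Cookies match.
		r.sensitive[textproto.CanonicalMIMEHeaderKey(h)] = struct{}{}
	}
	return r
}

// Headers returns a log-safe copy of h: sensitive values are replaced,
// all other headers pass through joined the way the log line shows them.
func (r *Redactor) Headers(h http.Header) map[string]string {
	out := make(map[string]string, len(h))
	for name, values := range h {
		_, hit := r.sensitive[textproto.CanonicalMIMEHeaderKey(name)]
		if hit && !r.leak {
			out[name] = Redacted
			continue
		}
		out[name] = strings.Join(values, ", ")
	}
	return out
}
```

Feeding the redacted map, rather than the raw header map, into the "started handling request" log line is what keeps the X-Fallback-Cookies session value out of the output shown above.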